U.S. Department of Agriculture
Office of Inspector General
Financial Audit Operations

Statement on Standards for Attestation Engagements No. 16 Report on Controls at the National Finance Center

Report 11401-2-11
September 2011

United States Department of Agriculture
Office of Inspector General
Washington, D.C. 20250

DATE: September 23, 2011

AUDIT NUMBER: 11401-2-11

TO: Jon M. Holladay
Acting Chief Financial Officer
Office of the Chief Financial Officer

ATTN: Kathleen A. Donaldson
Audit Liaison Officer

FROM: Gil H. Harden /s/
Assistant Inspector General for Audit

SUBJECT: Statement on Standards for Attestation Engagements No. 16 Report on Controls at the National Finance Center

This report presents the results of our Statement on Standards for Attestation Engagements No. 16 examination for the Department of Agriculture’s National Finance Center (NFC). Our examination was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States, and relevant attestation standards established by the American Institute of Certified Public Accountants. This report contains NFC management’s system description and assertion about whether the description is fairly presented and controls are suitably designed and operating effectively to achieve control objectives stated in the description throughout the period from October 1, 2010, through July 31, 2011.
Additionally, the report includes our unqualified opinion on NFC’s controls based on the criteria described in its assertion. Furthermore, the report does not contain recommendations. The projection of any conclusions based on our engagement to future periods is subject to the risk that changes may alter the validity of such conclusions. This report is intended solely for NFC as well as user entities of NFC payroll/personnel and/or application hosting systems during the specified period and their independent auditors.

We appreciate the courtesies and cooperation extended to us by members of your staff during this engagement.

Table of Contents

Executive Summary
Independent Service Auditors’ Report
Abbreviations
Exhibit A: National Finance Center - Management’s System Description
Exhibit B: National Finance Center - Management’s Assertion
Exhibit C: Independent Service Auditor’s Description of Tests of the National Finance Center Controls

Executive Summary

Statement on Standards for Attestation Engagements No. 16 Report on Controls at the National Finance Center (Report 11401-2-11)

Results in Brief

This report presents the results of our Statement on Standards for Attestation Engagements No. 16 engagement for the Department of Agriculture’s National Finance Center (NFC).
Our examination was conducted in accordance with Government Auditing Standards, issued by the Comptroller General of the United States, and relevant attestation standards established by the American Institute of Certified Public Accountants.

NFC provided us with a description of its payroll/personnel and application hosting systems for the period from October 1, 2010, through July 31, 2011, included as exhibit A, and an assertion, included as exhibit B, about the subject matter of our engagement. Our objectives were to obtain reasonable assurance about whether, in all material respects, based on suitable criteria, (1) management's description of NFC systems fairly presents the systems that were designed and implemented throughout the period specified in the description; (2) the controls related to the control objectives stated in the description of NFC systems were suitably designed throughout the specified period; and (3) the controls operated effectively to provide reasonable assurance that the control objectives stated in the description of NFC systems were achieved throughout the specified period.

In our opinion, in all material respects, based on the criteria described in NFC’s assertion, the description fairly presents NFC payroll/personnel processing and application hosting systems that were designed and implemented throughout the period from October 1, 2010, to July 31, 2011.
Also, in our opinion, the controls included in the description were suitably designed and operating effectively to provide reasonable assurance that the associated control objectives would be achieved from October 1, 2010, to July 31, 2011, if user entities effectively applied the complementary controls contemplated in the design of NFC controls throughout this period.

Recommendation Summary

We do not make any recommendations in this report.

Independent Service Auditors’ Report

To: Jon M. Holladay
Acting Chief Financial Officer
Office of the Chief Financial Officer

Scope

We have examined the Department of Agriculture National Finance Center’s (NFC) description of its payroll/personnel and application hosting systems throughout the period from October 1, 2010 to July 31, 2011, included as exhibit A, and the suitability of the design and operating effectiveness of controls to achieve the related control objectives stated in the description. The description indicates that certain control objectives specified in the description can be achieved only if complementary user entity controls contemplated in the design of NFC controls are suitably designed and operating effectively, along with related controls at NFC. We have not evaluated the suitability of the design or operating effectiveness of such complementary user entity controls.

NFC used subservice organizations to help support general controls related to payroll/personnel processing and application hosting. The description in exhibit A includes only the controls and related control objectives of NFC and excludes the control objectives and related controls of the specified subservice organizations.
Our examination did not extend to controls at the subservice organizations specified in the NFC system description.

NFC’s Responsibilities

NFC has provided an assertion, included as exhibit B, about the fair presentation of the description and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description. NFC is responsible for preparing the description and for the assertion, including the completeness, accuracy, and method of presentation of the description and the assertion; providing the services covered by the description; specifying the control objectives and stating them in the description; identifying the risks that threaten the achievement of the control objectives; selecting the criteria; and designing, implementing, and documenting controls to achieve the related control objectives stated in the description.

Office of Inspector General’s Responsibilities

Our responsibility is to express an opinion on the fairness of the presentation of the description and on the suitability of the design and operating effectiveness of the controls to achieve the related control objectives stated in the description, based on our examination. We conducted our examination in accordance with Government Auditing Standards issued by the Comptroller General of the United States, and relevant attestation standards established by the American Institute of Certified Public Accountants.
Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is fairly presented and the controls were suitably designed and operating effectively to achieve the related control objectives stated in the description throughout the period from October 1, 2010 to July 31, 2011.

An examination of a description of a service organization’s systems and the suitability of the design and operating effectiveness of the service organization’s controls to achieve the related control objectives stated in the description involves performing procedures to obtain evidence about the fairness of the presentation of the description and the suitability of the design and operating effectiveness of those controls to achieve the related control objectives stated in the description. Our procedures included assessing the risks that the description is not fairly presented and that the controls were not suitably designed or operating effectively to achieve the related control objectives stated in the description. Our procedures also included testing the operating effectiveness of those controls that we consider necessary to provide reasonable assurance that the related control objectives stated in the description were achieved. An examination engagement of this type also includes evaluating the overall presentation of the description and the suitability of the control objectives stated therein, and the suitability of the criteria specified by the service organization and described in exhibit B.
We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.

Inherent Limitations

Because of their nature, controls at a service organization may not prevent, or detect and correct, all errors or omissions in processing or reporting associated with NFC payroll/personnel and application hosting systems. Also, the projection to the future of any evaluation of the fairness of the presentation of the description, or conclusions about the suitability of the design or operating effectiveness of the controls to achieve the related control objectives, is subject to the risk that controls at a service organization may become inadequate or fail.

Opinion

In our opinion, in all material respects, based on the criteria described in NFC’s assertion in exhibit B:

   · The description fairly presents the NFC payroll/personnel and application hosting systems that were designed and implemented throughout the period from October 1, 2010, to July 31, 2011.

   · The controls related to the control objectives stated in the description were suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period from October 1, 2010, to July 31, 2011, and user entities applied the complementary controls contemplated in the design of NFC controls throughout the period from October 1, 2010, to July 31, 2011.

   · The controls we tested, which were those NFC controls necessary to provide reasonable assurance that the control objectives stated in the description were achieved¹, operated effectively throughout the period from October 1, 2010, to July 31, 2011.

Description of Tests of Controls

The specific controls tested and the nature, timing, and results of those tests are included in exhibit C.

Restricted Use

This report, including the description of tests of controls and results thereof in exhibit C, is intended solely for the information and use of NFC, user entities of NFC payroll/personnel and/or application hosting systems during some or all of the period from October 1, 2010, to July 31, 2011, and the independent auditors of such user entities, who have a sufficient understanding to consider it, along with other information including information about controls implemented by user entities themselves, when assessing the risks of material misstatements of user entities’ financial statements. This report is not intended to be and should not be used by anyone other than these specified parties.

Gil H. Harden /s/
Assistant Inspector General for Audit

September 22, 2011

Washington, D.C.

¹ In addition to the NFC controls we tested, the effective application of the complementary user entity controls referred to in the scope paragraph of this report is necessary to achieve the related control objectives.

Abbreviations

CSAM: Cyber Security Assessment and Management System
EmpowHR: Human Capital Management System
NFC: National Finance Center
POA&M: Plan of Action and Milestones

The subsequent sections of the report exhibit A (pages 6 through 26), exhibit B (pages 27 and 28), and exhibit C (pages 29 through 52) are not being publicly released due to the sensitive security content.